Connecting to a kerberized Impala daemon
impala-shell session you can connect to an impalad daemon
to issue queries. When you connect to an impalad, it coordinates the execution of all
queries sent to it. You can run
impala-shell to connect to a Kerberized
Impala instance over HTTP in a cluster.
Kerberos is an enterprise-grade authentication system Impala supports. Kerberos provides strong security benefits including capabilities that render intercepted authentication packets unusable by an attacker. It virtually eliminates the threat of impersonation by never sending a user's credentials in cleartext over the network. Cloudera recommends using impala-shell with Kerberos authentication for strong security benefits while accessing an Impala instance.
- Locate the hostname that is running the impalad daemon.
- 28000 is the default port impalad daemon uses to transmit commands and receive results from client applications over HTTP using the HiveServer2 protocol. Ensure that this port is open.
- Ensure that the host running impala-shell has a preexisting
kinit-cached Kerberos ticket that
impala-shellcan pass to the impala server automatically without the need for the user to reenter the password.
- To override any client connection errors, you should run the Kinit command to retrieve the Ticket Granting Ticket or to extend it if it has already expired.
To enable Kerberos in the Impala shell, start the
impala-shellcommand using the -k flag.
impala-shellto communicate with the Impala daemon over HTTP through the HiveServer2 protocol, specify --protocol=hs2-http as the protocol.
impala-shell -i xxxx-cdh-7-2-3.vpc.cloudera.com -k --protocol=hs2-http Starting Impala Shell with Kerberos authentication using Python 2.7.5 Using service name 'impala' Warning: --connect_timeout_ms is currently ignored with HTTP transport. Opened TCP connection to xxxx-cdh-7-2-3.vpc.cloudera.com:28000 Connected to xxxx-cdh-7-2-3.vpc.cloudera.com:28000 Server version: impalad version 4.0.0-SNAPSHOT RELEASE (build d18b1c1d3f7230d330b58928513c20e90bab0153)